An unidentified attacker compromised applications used by several Pakistani organizations and delivered ShadowPad, the successor to the PlugX backdoor commonly associated with Chinese hacking groups.
According to Trend Micro, targets included Pakistani government agencies, public sector banks, and telecom providers. Infection occurred between mid-February 2022 and September 2022.
The cybersecurity firm said the incident could have been the result of a supply chain attack. The attack trojanizes the legitimate software used by the victim and deploys malware that can gather sensitive information from the compromised system.
The attack chain begins with a malicious installer for E-Office, an application developed by the Pakistan National Information Technology Board (NITB) to help government departments go paperless.
It is currently unknown how the backdoored E-Office installer was delivered to the targets. That said, there is currently no evidence that the build environment of the Pakistani government agency in question was compromised.
This makes it more likely that the attacker obtained a legitimate installer and modified it to include the malware, then lured the victim into running the trojanized version through a social engineering attack.
“Three files have been added to the legitimate MSI installer: Telerik.Windows.Data.Validation.dll, mscoree.dll and mscoree.dll.dat,” said Trend Micro researcher Daniel Lunghi in an analysis published today.
Trend Micro reported that the obfuscation techniques used to hide the DLL and the decrypted last-stage malware are an evolution of an approach previously documented by Positive Technologies in January 2021 in connection with Chinese cyber espionage operations conducted by the Winnti group (aka APT41).
Besides ShadowPad, post-exploitation activity involved the use of Mimikatz to dump passwords and credentials from memory.
While attribution to a known threat actor is hampered by a lack of evidence, the cybersecurity firm said it discovered malware samples, such as Deed RAT, believed to belong to the Space Pirates (aka Webworm) threat actor.
“This entire campaign involved highly capable actors acquiring and modifying government application installers to compromise at least three sensitive targets,” said Lunghi.
“The fact that this threat actor has access to the latest version of ShadowPad may be related to its ties to Chinese threat actors, but we cannot confidently point to a specific group.”